Getting your iPhone to work with Exchange ActiveSync SSL Certificate
19 08 2008
I recently set up an iPhone to work with Microsoft Exchange 2007. It was a bit complicated, so I thought I would post the instructions for others.
The Exchange 2007 server was using a self-signed SSL certificate and the iPhone was a first generation with the 2.0 firmware.

This article assumes the following:
- You have ActiveSync enabled on the user’s mailbox
- You have updated to at least the 2.0 iPhone firmware (can be updated via iTunes)
- You will need your SSL .CER file (click here for how to get the .CER file)
- You should have Exchange 2007 SP1
I would recommend backing up the information on your iPhone to iTunes before you start.
The user was getting an authentication failed message when he entered the Exchange info manually. I believe this is because the device was missing the Exchange SSL certificate. So here’s what to do.
Download the iPhone Configuration Web Utility
Follow the instructions in the Enterprise Deployment Guide.
This will allow you to create a configured profile that the user just has to install. You will need to either send it to the user’s personal email that is already configured on the iPhone or make it web accessible so they can download it to their iPhone.
Accessing the iPhone Configuration Web Utility
The iPhone Configuration Web Utility runs as a web server on your local computer on port 3000. To access the utility go to your web browser and type
Username: admin
Password: admin
1. Fill out all settings on the “General Settings” tab.
2. Upload your .CER file through the Credentials Settings page.
3. Fill out the settings under “Exchange Settings”. Note that the “Exchange ActiveSync Host” field should read mail.example.com and not https://mail.example.com. There is a “Use SSL” check box instead of the HTTPS:// prefix. Also, “User” should be entered as domain\username.
4. Have the user install the config file. The easiest way to do this would be to email the config file to the user’s personal email account that is already set up and have them click it. You could also upload it to a website or a site like filedropper.
The user mentioned that he had lost all of his contacts after the config was installed. The contacts came back after the phone successfully synced with the server. Others mentioned that they had to power cycle their phones for the contacts to come back.
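An added example (not from the original post) that checks the inputs to steps 2 and 3 before the profile goes out: the .CER file's fingerprint against the certificate the server actually presents, and the format of the host and user fields. The function names, sample values and the placeholder bytes standing in for a certificate are assumptions made for illustration.

```python
import base64
import hashlib
import re
import ssl

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cer_to_der(data: bytes) -> bytes:
    """A Windows .CER export is either binary DER or Base64 (PEM); return DER."""
    m = PEM_RE.search(data)
    return base64.b64decode(m.group(1)) if m else data

def fingerprint(data: bytes) -> str:
    """SHA-256 over the DER bytes, so both export formats compare equal."""
    return hashlib.sha256(cer_to_der(data)).hexdigest()

def server_matches_cer(host: str, cer_data: bytes, port: int = 443) -> bool:
    """Fetch the certificate the host presents (no chain validation, since it
    is self-signed) and compare it with the .CER file about to be uploaded."""
    pem = ssl.get_server_certificate((host, port))
    return fingerprint(pem.encode()) == fingerprint(cer_data)

def check_exchange_settings(host: str, user: str, use_ssl: bool) -> list:
    """Lint the step 3 fields; an empty list means no problems were found."""
    problems = []
    if "://" in host or "/" in host:
        problems.append("host must be a bare name such as mail.example.com, "
                        "with no https:// prefix or path")
    if not re.fullmatch(r"[^\\]+\\[^\\]+", user):
        problems.append(r"user must be entered as domain\username")
    if not use_ssl:
        problems.append("'Use SSL' is unchecked; sync traffic would not be encrypted")
    return problems

# Constructed placeholder bytes, not a real certificate: enough to show that
# the DER and Base64 exports of the same file give the same fingerprint.
SAMPLE_DER = b"constructed-placeholder-not-a-real-certificate" * 3
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode()

if __name__ == "__main__":
    print(fingerprint(SAMPLE_DER) == fingerprint(SAMPLE_PEM))
    for p in check_exchange_settings("https://mail.example.com", "jsmith", True):
        print("problem:", p)
```

Run `server_matches_cer("mail.example.com", open("exchange.cer", "rb").read())` from a network you trust; a mismatch means the file is not the certificate the ActiveSync host is serving.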
More resources are available here.
Good luck!










Thank you for posting this, I was scratching my head until I found your guide.
This worked for me.
I have the new 3G iPhone.
Anyone using a self-signed SSL cert with success? I’m still having problems and I’m wondering if I need to buy a MS approved ROOT Cert. Help?
Hi Eric,
I was able to use the self signed cert just fine.
Where are you getting stuck?
Andy
I’ve been having a fun time too with SSL ActiveSync and an iPhone. I haven’t for the life of me been able to get all 3 working together until following your solution using the iPhone config utility. Thanks!
However, I wonder if it really is working because when I set IIS to accept only SSL connections, my iPhone no longer syncs! OWA works perfectly with only SSL, so I assume my certificate (GoDaddy) is set up correctly. The profile on the iPhone has the setting greyed out, but it does indicate SSL is enabled.
I wonder if when a profile is set up in this manner, that if SSL is not available it turns it off. In which case I am back to square one!
Interestingly, when I installed the profile on the iPhone, including the certificate, it said that it was not from a valid authority. Did you experience the same thing?
Chris
Hi Chris,
What version of Exchange are you running?
Are you using the GoDaddy certificate on Exchange, OWA, and the iPhone?
Also, if you set up a profile with SSL enabled using the config utility, you cannot manually change the SSL setting on the iPhone.
I don’t know that this serves any useful purpose, but you could try to manually set up the profile. You would have to find a way to install the SSL cert without the utility; you may be able to email it to your iPhone through an IMAP Gmail account.
Andy
@Andy
To answer your questions:
>What version of Exchange are you running?
Exchange 2003 SP2
>Are you using the GoDaddy certificate on Exchange, OWA, and the iPhone?
Yes, in fact I even tried including the GoDaddy root and intermediate certificates in the profile I created with the iPhone Configuration Utility.
Having said that, I think I finally have a solution! I now have “Require secure channel (SSL)” checked without breaking activesync! Instructions are here:
http://support.microsoft.com/kb/817379
Chris.